Subject: Re: [PATCH nixpkgs 00/16] Inter-guest networking
From: "Cole Helbling"
To: "Alyssa Ross" ,
Date: Wed, 14 Apr 2021 15:15:32 -0700
In-Reply-To: <20210411115740.29615-1-hi@alyssa.is>
X-MailFrom: cole.e.helbling@outlook.com
List-Id: Patches and low-level development discussion

On Sun Apr 11, 2021 at 4:57 AM PDT, Alyssa Ross wrote:
> In Spectrum, we want the host kernel to include as few drivers as
> possible, to reduce attack surface. To accomplish this, we need to
> move as much hardware interaction as possible into VMs. This series
> introduces proof-of-concept network hardware isolation by passing
> through network devices to a VM, and having that VM handle all
> interaction with that hardware instead of the host system.
[snip]

> Alyssa Ross (16):
>   linux: enable Xen everywhere it can be
>   cloud-hypervisor: 0.8.0 -> 0.14.1
>   mdevd: init at 0.1.3.0
>   spectrumPackages.linux_vm: fix cloud-hypervisor hotplug
>   spectrumPackages.linux_vm: allow config overrides
>   crosvm: support setting guest MAC from --tap-fd
>   spectrumPackages: export makeRootfs
>   spectrumPackages.rootfs: add s6-rc support
>   spectrumPackages.rootfs: make /var/lib and /var/run
>   spectrumPackages.rootfs: add dbus configuration
>   spectrumPackages.rootfs: add connman dbus services
>   spectrumPackages.sys-vms.comp: init
>   spectrumPackages.makeRootfs: move to default.nix
>   spectrumPackages.sys-vms.net: init
>   spectrumPackages.sys-vms.app: init
>   spectrumPackages.spectrum-testhost: init
>
>  .../cargo-lock-vendor-fix.patch                |  53 ----
>  .../cloud-hypervisor/default.nix               |  15 +-
>  ...upport-setting-guest-MAC-from-tap-fd.patch  | 294 ++++++++++++++++++
>  .../linux/chromium-os/crosvm/default.nix       |   1 +
>  .../linux/kernel/common-config.nix             |  13 +-
>  pkgs/os-specific/linux/kernel/patches.nix      |   9 +
>  pkgs/os-specific/linux/mdevd/default.nix       |  28 ++
>  pkgs/os-specific/linux/spectrum/default.nix    |   6 +-
>  pkgs/os-specific/linux/spectrum/linux/vm.nix   |   7 +-
>  .../linux/spectrum/rootfs/default.nix          |  92 +++---
>  .../linux/spectrum/rootfs/etc/group            |   1 +
>  .../linux/spectrum/rootfs/etc/passwd           |   1 +
>  .../linux/spectrum/rootfs/generic.nix          |  48 ---
>  .../linux/spectrum/rootfs/rc-services.nix      |  26 ++
>  .../linux/spectrum/rootfs/stage1.nix           |  25 +-
>  .../linux/spectrum/spectrum-vm/default.nix     |   6 +-
>  .../linux/spectrum/testhost/default.nix        | 205 ++++++++++++
>  .../linux/spectrum/vm/app/default.nix          |  63 ++++
>  .../linux/spectrum/vm/comp/default.nix         |  86 +++++
>  .../os-specific/linux/spectrum/vm/default.nix  |   9 +
>  .../linux/spectrum/vm/net/default.nix          | 165 ++++++++++
>  pkgs/top-level/aliases.nix                     |   6 +
>  pkgs/top-level/all-packages.nix                |  12 +-
>  23 files changed, 976 insertions(+), 195 deletions(-)
>  delete mode 100644 pkgs/applications/virtualization/cloud-hypervisor/cargo-lock-vendor-fix.patch
>  create mode 100644 pkgs/os-specific/linux/chromium-os/crosvm/0001-crosvm-support-setting-guest-MAC-from-tap-fd.patch
>  create mode 100644 pkgs/os-specific/linux/mdevd/default.nix
>  delete mode 100644 pkgs/os-specific/linux/spectrum/rootfs/generic.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/rootfs/rc-services.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/testhost/default.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/app/default.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/comp/default.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/default.nix
>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/net/default.nix
>
> -- 
> 2.30.0

Thanks for the beautiful cover letter. Such a great amount of detail and
information brings a tear to my eye!

Each individual patch reviewed-by me; nothing stood out as weird or wrong
or bad or whatever. I only tested the final result, not each individual
patch.

Reviewed-by: Cole Helbling
Tested-by: Cole Helbling
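As an added example, not code from this series or from Spectrum: the host-side step that the passthrough design in the cover letter implies, assuming the NIC is a PCI device handed to the VM through Linux VFIO (the cover letter is snipped above, so the exact mechanism the series uses is not shown here). Before the device is rebound from its host driver to vfio-pci, the script checks that it is alone in its IOMMU group, since the IOMMU isolates DMA per group and VFIO will not hand out a group while another device in it is still driven by the host. The SYSFS variable (so the script can be dry-run against a fake tree), the function names and the PCI addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Spectrum series: move a PCI NIC from its host
# driver to vfio-pci so a VM, not the host kernel, drives the hardware.
# Assumptions: Linux sysfs layout, IOMMU enabled, vfio-pci module loaded.
# SYSFS may point at a fake tree for a dry run; it defaults to /sys.
SYSFS="${SYSFS:-/sys}"

# List the devices that share an IOMMU group with $1 (e.g. 0000:01:00.0).
iommu_group_members() {
    group=$(readlink -f "$SYSFS/bus/pci/devices/$1/iommu_group") || return 1
    ls "$group/devices"
}

# Succeed only if $1 is alone in its IOMMU group. Isolation is per group:
# VFIO refuses the group until every member has left its host driver, and
# pulling siblings off the host silently is worse than stopping here.
check_isolated() {
    n=$(iommu_group_members "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Unbind $1 from its current driver, pin vfio-pci through driver_override,
# then re-probe so the kernel attaches vfio-pci instead of the NIC driver.
bind_vfio() {
    dev="$SYSFS/bus/pci/devices/$1"
    check_isolated "$1" || { echo "$1 shares an IOMMU group; refusing" >&2; return 1; }
    if [ -L "$dev/driver" ]; then
        echo "$1" > "$dev/driver/unbind"
    fi
    echo vfio-pci > "$dev/driver_override"
    echo "$1" > "$SYSFS/bus/pci/drivers_probe"
}

# Usage (as root): sh nic-vfio.sh 0000:01:00.0
if [ "$#" -gt 0 ]; then
    bind_vfio "$1"
fi
```

After a successful run the device shows up under /sys/bus/pci/drivers/vfio-pci/ and the host kernel no longer has a driver attached to it; the VM side (cloud-hypervisor or crosvm) then opens the VFIO group and the NIC driver runs only inside the guest kernel.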